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Introduction 


The Information Commissioner's Audit Committee (the Committee) 
provides scrutiny, oversight and assurance of risk control and governance 
procedures. Minutes of its meetings are available on the ICO’s website 


at www.ico.org.uk. 
Membership and attendance 


The Committee’s chair is Ailsa Beaton who is a non-executive director and 
member of the Management Board. Ailsa took over from lan Watmore as 
chair as of the meeting in December 2016. 


There are two other members of the Audit Committee; Jane McCall who is 
a non-executive director and member of the Management Board, and 
Roger Barlow who is an independent member. 


The Committee met on 6 June 2016, 12 September 2016, 12 December 
2016 and 7 March 2017. Members' attendance at the meetings is detailed 
in the ICO’s Annual Report and Accounts 2016-2017. 


Christopher Graham, Information Commissioner up to 29 June 2016, 
attended the June 2016 meeting of the Committee. Elizabeth Denham, 
the current Commissioner, attended the September and December 
meetings. Elizabeth was represented by the Deputy Commissioner 
(Operations) and Deputy CEO at the March 2017 meeting. 


Representatives of the National Audit Office (NAO), the ICO’s external 
auditors, and Grant Thornton, who provide the ICO’s internal audit 
function, attended all of the meetings either in person or by telephone. 


Secretariat was provided by the Corporate Affairs department. 


Meetings during 2016/ 17 


The Committee has, as standing items at all of its meetings; 

e an update on current issues from the Information Commissioner or 
her deputies as appropriate; 

e areview of the risk register; 

e progress reports from the internal and external auditors; 

e discussion of audit reports and performance in clearing outstanding 
internal and external audit recommendations; and 

e areview of reported fraud, whistleblowing and security incidents. 


In addition during the year the Committee considered: 
e the Annual Report €: Accounts for 2015/16 and 2016/17; 
e the ICO’s Change Programme focused on preparing the ICO for 
implementation of the General Data Protection Regulation in 2018; 
e forecasting fee income and future funding models; 
e financial planning for 2017/18 and 
e funding of a Grants and Contributions scheme. 


Audit 


During the year the Committee reviewed the audit plan and performance 
against it on a continual basis, and considered internal audit reviews of: 
Fines recovery; 

Cryptographic Controls; 

IT asset management (phases 1 € 2); 

Investigations; 

People Strategy; 

Stakeholder engagement; and 

Follow up 


Grant Thornton made 30 recommendations during the year; of which 25 
have been actioned. Five remain outstanding. 


There is one outstanding internal audit recommendation from 2015/16 
relating to access rights for the finance system. 


Grant Thornton's Annual Internal Audit Report 2016/17 concluded that, in 
the areas examined, the activities of risk management, corporate 
governance and internal controls were suitably designed to achieve the 
objectives required, and activities and controls examined were operating 
with sufficient effectiveness to provide reasonable, but not absolute, 
assurance that the related objectives were achieved during the period 
under review. 


The NAO Audit Completion Report 2016/17 concluded that the 
Comptroller and Auditor General anticipate certifying the 2016/17 


financial statement with an unqualified audit opinion, without 
modification. 


Audit Committee Opinion 


Given the opinion of the internal auditors and external auditors as 
expressed in their annual reports, and the other information available to it 
from its work during the year, the Audit Committee can therefore provide 
the Commissioner, as Accounting Officer, with reasonable assurance that 
the ICO’s control mechanisms are working satisfactorily. 


The Committee is satisfied with the quality of internal and external audit 
and believes that by virtue of this work it is able to take a measured and 
diligent view of the quality of financial and other systems of reporting and 
control within the ICO. It is satisfied that, other than in the areas of 
potential weakness outlined above, the ICO has appropriate systems of 
internal control that work well. In respect of the potential areas of 
weakness, the Committee looks forward to continuous improvement in 
controls in the future. 


In respect of its own performance the Committee considers that it has 
directed the internal audit function towards areas relevant to the risks 
facing the ICO. It has constructively challenged both management and 
internal audit function and received a high level of cooperation and 
support from all concerned. Responses to audit recommendations are 
generally positive and the Committee is satisfied that management within 
ICO is committed to maintaining an appropriate level of internal control 
and prudent use of resources. 


This opinion feeds into the Commissioner’s drafting of the Governance 


Statement for 2016/17 which was considered by the Audit Committee at 
its March and June 2017 meetings. 


June 2017 


